Legal Updates

‘Data is fast becoming more valuable than gold’ – Monica Atwal writes for City AM

Data is the new gold, but we do not value this precious commodity, giving our data away too freely.

Data protection is the new hot topic. On 25 May 2018, data protection laws are undergoing radical reform.

The EU’s General Data Protection Regulation (GDPR) will shakeup the imbalance of power which organisations have on individuals and their data. You only need to look at the Facebook and Cambridge Analytica scandal to realise people are finally waking up, with concerns about how their personal data is being used.

But individuals need to take responsibility. We use sites all the time expecting no cost, and adverts regularly pop up which closely mirror our searches on unrelated sites.

We think we cannot be manipulated. But in the age of technology, the ability to analyse patterns means that organisations know us better than we know ourselves, and we are at risk of being exploited.

Headlines about the GDPR make tough reading for organisations. Maximum fines for data breaches will increase from £500,000 (under the Data Protection Act) to €20m, or four per cent of an organisation’s global annual turnover (whichever is higher).

Recent high-profile fines by the Information Commissioner’s Office include £400,000 to both Carphone Warehouse in January 2018 and TalkTalk in 2016, after customers’ data was hacked.

Data security is now pivotal. Data breaches can occur either externally or internally, and safeguards are needed to protect IT systems which hold personal data.

The GDPR enhances individuals’ rights over their data. It introduces new rights (such the right to have personal data removed or amended), as well as strengthening existing rights.

Where individuals consent to their data being processed, they may later challenge any processing and withdraw their consent.

It must be as easy to withdraw as it was to give. But individuals need to carefully consider the consent they are giving and be aware of the risk.

All of us must be mindful of what we are putting out in the public domain, as the ability to analyse swathes of information from various sources is the real gold mine.

If businesses have lawful grounds to process personal data, these must be made clear to individuals before the data is processed.

While the days of secretly gathering information for an organisation’s own means are supposedly coming to an end, that is unrealistic, as the capabilities of technology and malignant forces means there will always be risks.

Unless there is a global code of protection, transferring data overseas will become more challenging.

The GDPR sets the benchmark, and will generally require data that is transferred outside the EU to have adequate levels of local data protection. The UK is currently drafting a new Data Protection Bill to largely mirror the GDPR for this purpose.

The GDPR places severe financial sanctions on organisations who fail to comply. The reputational damage for major breaches could be even more costly. While it is not too late, organisations that have not yet considered GDPR need to wake up and act fast.